Device Control is a step in the right direction but...

KevinT on 2006-06-26 02:44:40

Don't believe the "Hype"

By Ari Tammam, Director, Promisec Limited

In the wake of the increased focus on endpoint security, controlling the use of devices that can be attached to endpoints, especially memory devices like USB memory sticks, has become of paramount importance to companies. While this raised awareness of a relatively new threat is welcome, it should be pointed out that the threat does not exist in this form alone. Dozens of new and existing vendors have appeared in this space touting their products as the next 'must have' security product for a network. Many of them offer granular control that allows specific devices to be used by specific individuals at specific times. Does that really address the problem?

The 'hype' created by these vendors instils a false sense of security among companies wanting to secure their endpoints. It is important for companies to understand the difference between hype generated by vendors and the reality of how a threat can enter and affect your network. With so many vendors offering device control and protection against the use of memory devices, the wave of misinformation is pushing companies into rash purchases of point solutions. These will eventually need to be supplemented by other solutions to give a more complete answer to the internal security problem, which involves multiple threats from many different angles.

Let us examine what exactly the threat of using attachable memory devices of any type with a desktop or laptop is. For most companies it is either the theft of proprietary or confidential/classified information or the injection of malicious code or surveillance software into the corporate network. If this is the case, then memory devices attached via the USB port are not your only worry. True, it is a very quick and easy way to download information or upload infectious code, but any IT professional worth his reputation will tell you that this is only one way to extract or inject data, and certainly not the only way or the most untraceable. Take the problem of installing malicious code into a network, and please note that malicious code can be as small as a few KB. How difficult would it be to drop a floppy disk into a colleague's machine (you obviously wouldn't want the evidence traced back to your machine) and run the code or install a stealth application?

Introducing Malicious Code into a Network
Injecting malicious software into a company network can be done in many ways, and both the type of malicious code and the way it behaves can vary widely. Keyloggers, spyware and Trojan horses are all types of malware that, once installed, tend to hide from detection, with some not even listing themselves as a process. Others disguise themselves as legitimate processes and may also avoid detection. So once inside a network, malicious code can be very hard to detect and eliminate. This is a problem that device protection products cannot address; the only time a device protection product is useful is at the point where malware is introduced onto the network endpoints. Even here, these solutions fall short unless every method of introducing code into a network is monitored and protected.

The list is endless and includes:

E-mail - in the body of an e-mail, as an attachment, or even as a link

Instant messenger applications

Internet telephony services

File sharing applications

File transfers (FTP)

Zero-day viruses or worms

Floppy disks or CDs

Taking the last example listed above, a user may receive a home-produced music or picture CD that has some malicious executable embedded in it, unknown to the user. In many cases the user won't think twice about running the CD on his PC at work, but by doing so he may unwittingly introduce surveillance software into the network that could either directly damage information and servers or retrieve information including passwords and confidential data. In more extreme cases, like the UBS PaineWebber attack in New Jersey, a disgruntled employee allegedly installed a piece of malicious code that brought down 2,000 of the company's servers nationwide and completely shut down the network for its 17,000 traders, preventing them from working and causing a loss of over $3 million from a single day. Device protection solutions are not able to identify malicious code inside the network, or to prevent it from being introduced into the network by anything other than a single method.

Preventing Information Leakage
If what you are trying to achieve is preventing classified information from leaving the company, then controlling the use of the USB drive and other I/O devices is only going to give you a partial answer. In cases like these, where device protection vendors claim to stop confidential information leaking to unauthorized parties, they are merely marketing their solutions to you and avoiding the real-world scenarios. If a disgruntled employee or an unauthorized person wants to steal classified information, using a memory device to do so is not the only avenue available. What about FTP transfers, e-mail attachments, web mail, copying to CD or DVD, or simply printing off information to a hard copy? These are all very easy ways to take confidential information out of an organisation without leaving much of a trace, if any at all. Even with device controllers that offer granularity and control the time of use and the types of device that can be used, the fact that information can be leaked other than via devices means that these solutions cannot stand alone if they are to provide strong security. They will inevitably have to be part of a much broader endpoint security strategy that covers every aspect of information leakage.

To put one's faith in a single security solution that gives full granular control of any type of attachable memory device is flawed. It certainly gives a higher level of control and adds a layer of protection to your overall security, but alone it is only a partial solution that is easily bypassed. Even if the solution gives full details of what information has been transferred either into or out of the organisation, by the time you have detected the breach it is too late: the information has either left the company or the malicious code is already propagating through your network, and the cost of eliminating the threat has dramatically increased.
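An added example, not from the article or from Promisec: a small Python policy simulator that replays constructed endpoint events across the channels listed above (USB, CD, e-mail, web mail, FTP, IM and print) through a granular device-only policy and through a broader endpoint policy, and reports which transfers were prevented, merely logged for after-the-fact detection, or never seen at all. The event format, user names, office hours and policy rules are all assumptions made up for the illustration.

```python
from collections import namedtuple
from datetime import datetime
# One endpoint event; direction is "in" (code arriving) or "out" (data leaving).
Event = namedtuple("Event", "when user channel direction detail")
# One control: mode "block" prevents the transfer, "log" only records it for later review;
# allow_users may use the channel between allow_hours [start, end) local time.
Control = namedtuple("Control", "channel mode allow_users allow_hours",
                     defaults=(frozenset(), (0, 0)))
# Constructed sample telemetry (not real data): timestamp|user|channel|direction|detail
SAMPLE_LOG = """\
2006-06-26T10:15|alice|usb|out|copied forecast.xlsx to removable drive
2006-06-26T22:40|alice|usb|out|copied customer_list.csv to removable drive
2006-06-26T11:02|bob|usb|in|ran tool.exe from removable drive
2006-06-26T11:30|bob|ftp|out|put customer_list.csv to ftp.example.test
2006-06-26T12:05|carol|webmail|out|attached design.pdf to outbound message
2006-06-26T13:10|dave|cd|in|ran setup.exe from optical media
2006-06-26T14:00|erin|print|out|printed 40 pages of contracts.doc
2006-06-26T15:45|frank|email|in|opened invoice.zip attachment
"""

# Granular device control on its own: alice may use USB in office hours, all other USB use is blocked.
DEVICE_ONLY = [Control("usb", "block", frozenset({"alice"}), (9, 17))]
# The same USB rule as one layer of a broader endpoint policy that also covers the other channels.
BROAD_ENDPOINT = (DEVICE_ONLY + [Control(c, "block") for c in ("ftp", "cd", "im")]
                  + [Control(c, "log") for c in ("webmail", "print", "email")])

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        when, user, channel, direction, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(when), user, channel, direction, detail))
    return events

def evaluate(event, policy):
    """Verdict for one event: allowed, prevented, detected (only after the fact) or uncontrolled."""
    for c in policy:
        if c.channel != event.channel:
            continue
        if event.user in c.allow_users and c.allow_hours[0] <= event.when.hour < c.allow_hours[1]:
            return "allowed"
        return "prevented" if c.mode == "block" else "detected"
    return "uncontrolled"  # no rule covers this channel: the transfer is neither stopped nor seen

def summarize(text, policy):
    """Count verdicts and list the channels the policy never sees at all."""
    verdicts = [(e.channel, evaluate(e, policy)) for e in parse_log(text)]
    counts = {v: sum(1 for _, w in verdicts if w == v)
              for v in ("allowed", "prevented", "detected", "uncontrolled")}
    return counts, sorted({ch for ch, v in verdicts if v == "uncontrolled"})
```

Calling summarize(SAMPLE_LOG, DEVICE_ONLY) shows the USB rule doing its job (one allowed, two prevented) while five of the eight transfers pass through channels it never sees; with BROAD_ENDPOINT nothing is unseen, but the three log-only channels are still only detected after the data has moved.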
